Conditions on the generator for forging ElGamal signature 



Omar Khadir

Laboratory of Mathematics, Cryptography and Mechanics, Department of Mathematics, Fstm
University of Hassan II-Mohammedia, Morocco

Abstract 

This paper describes new conditions on parameter selection that lead to an efficient algorithm for forging ElGamal digital signatures. Our work is inspired by Bleichenbacher's ideas.

1 Introduction



Numerous digital signature algorithms have been developed since the invention of public key cryptography in the late 1970s [3,15,14]. They almost all follow the same principle. Every user possesses two kinds of keys. The first one is private, must be kept secret and stored only locally. The second is public and must be widely distributed so that it is accessible to the other users. To sign a particular message, contract or will $M$, Alice has to solve a hard mathematical equation depending on $M$ and on her public key. With the help of her private key, she is able to furnish the solutions. Bob, a judge or anybody else can verify that the solutions computed by Alice are valid. The algorithm is constructed in such a way that, for an adversary who does not know Alice's private key, solving the considered equation is computationally too hard.

One of the most popular signature algorithms was proposed by ElGamal [4]. It has many variants [16,17,9,5] and is based on the hardness of the discrete logarithm problem. Since its conception in 1985, several attacks have been mounted and have revealed possible weaknesses when the signature keys are not carefully selected [2,1,10,13]. However, no general method for totally breaking the system is known.
In an ElGamal signature protocol, a signer, in addition to his private key, must hold three other integer parameters $(p, \alpha, y)$ as a public key. In 1996, Bleichenbacher [2] presented a cryptanalysis in which he showed that if the generator $\alpha$ and the modulus $p$ satisfy some special relations, it is possible to forge an ElGamal signature on any arbitrary message. In particular, he proved that the signature scheme becomes insecure when the parameters $\alpha$ and $p$ are chosen such that $\alpha$ divides $p-1$. Hence, selecting $\alpha = 2$ is imprudent.
The purpose of our work is to describe new conditions on parameter selection that lead to an efficient algorithm for forging an ElGamal signature on any arbitrary message. As an extension of Bleichenbacher's result, we show that if the modular inverse of the generator $\alpha$ divides $p-1$, then it is possible to break the system. As an example, the choice of $\alpha = \frac{p+1}{2}$ as a generator is not recommended, since its inverse modulo $p$ is $2$.

The paper is organized as follows. Section 2 contains the preliminaries that will be used in the sequel. Our contribution, mainly composed of Algorithm 2 and Corollary 3, is presented in section 3. We conclude in section 4.

Throughout this article, we adopt the notation of ElGamal's paper [4]. $\mathbb{Z}$ and $\mathbb{N}$ are respectively the sets of integers and of non-negative integers. For every positive integer $n$, we denote by $\mathbb{Z}_n$ the finite ring of integers modulo $n$ and by $\mathbb{Z}_n^*$ the multiplicative group of its invertible elements. Let $a, b, c$ be three integers. The greatest common divisor of $a$ and $b$ is denoted by $\gcd(a, b)$. We write $a \equiv b \ [c]$ if $c$ divides the difference $a - b$, and $a = b \bmod c$ if $a$ is the remainder in the division of $b$ by $c$. A positive integer $a$ is said to be $B$-smooth [8, p. 92], $B \in \mathbb{N}$, if every prime factor of $a$ is less than or equal to the bound $B$.
We start, in the next section, with preliminaries containing known mathematical facts that will be exploited later.

2 Preliminaries 

Before exploring new situations under which one can forge an ElGamal digital signature, we briefly review three questions that are directly related to our result.

2.1 Discrete logarithm problem when $p-1$ is $B$-smooth

The importance of the discrete logarithm problem started to grow with the publication in 1976 of the fundamental work of Diffie and Hellman [3,11]. The issue became central in public key cryptography.

Let $p$ be a prime and $\alpha$ a primitive root of $\mathbb{Z}_p^*$. We consider the discrete logarithm equation

$\alpha^x \equiv y \ [p]$ (1)

where $y$ is fixed in $\{1, 2, 3, \ldots, p-1\}$ and $x$ is unknown in $\{0, 1, 2, \ldots, p-2\}$.
In 1978, Pohlig and Hellman [12] published a practical method to solve equation (1) when all the prime factors of $p-1$ are not too large. Let us recall the outline of their algorithm.
Assume that $p-1$ is $B$-smooth. The bound $B$ depends on the available computing power. This implies that we can obtain the prime factorization of $p-1$: $p - 1 = p_1^{n_1} p_2^{n_2} \cdots p_k^{n_k}$, where $n_i, k \in \mathbb{N}^*$ for $1 \le i \le k$. We first find $x$ modulo $p_i^{n_i}$ for every $i \in \{1, 2, \ldots, k\}$ and then apply the Chinese Remainder Theorem [8, p. 68] to compute $x$ modulo $p_1^{n_1} p_2^{n_2} \cdots p_k^{n_k}$.
The $p_1$-ary representation of $x_1 = x \bmod p_1^{n_1}$ can be written as

$x_1 = b_0 + b_1 p_1 + \ldots + b_{n_1 - 1} p_1^{n_1 - 1}$ (2)

where $b_0, b_1, \ldots, b_{n_1 - 1}$ are unknown in $\{0, 1, \ldots, p_1 - 1\}$.

Let $\lambda_1 = p_1^{n_1 - 1} p_2^{n_2} \cdots p_k^{n_k}$. We have $\lambda_1 x_1 = \lambda_1 b_0 + K_1 (p-1)$ with $K_1 \in \mathbb{N}$, and $\lambda_1 x \equiv \lambda_1 x_1 \ [p-1]$ since $x - x_1$ is a multiple of $p_1^{n_1}$. Since $\alpha^{K_1 (p-1)} \equiv 1 \ [p]$, equation (1) can be transformed into $\alpha^{\lambda_1 x_1} \equiv y^{\lambda_1} \ [p]$ and therefore

$\alpha^{\lambda_1 b_0} \equiv y^{\lambda_1} \ [p]$ (3)

From equation (3) we obtain the first coefficient $b_0$, by solving a discrete logarithm in the subgroup of order $p_1$ generated by $\alpha^{\lambda_1}$.

Similarly, if $\lambda_2 = p_1^{n_1 - 2} p_2^{n_2} \cdots p_k^{n_k}$, then $\lambda_2 x_1 = \lambda_2 b_0 + \lambda_2 b_1 p_1 + K_2 (p-1)$ with $K_2 \in \mathbb{N}$. As $\alpha^{K_2 (p-1)} \equiv 1 \ [p]$, equation (1) becomes $\alpha^{\lambda_2 x_1} \equiv y^{\lambda_2} \ [p]$ and therefore

$\alpha^{\lambda_2 b_0 + \lambda_2 b_1 p_1} \equiv y^{\lambda_2} \ [p]$ (4)

We get the second coefficient $b_1$ from equation (4), $b_0$ being already known.

Gradually, we compute $b_0, b_1, b_2, \ldots, b_{n_1 - 1}$ and then determine $x_1$. This is computationally feasible since $2^{n_1} \le p-1$ and hence $n_1 \le \frac{\ln(p-1)}{\ln 2}$. In other words, $n_i$ is bounded by the bit length of $p-1$.

We repeat the technique with $p_2, p_3, \ldots, p_k$ and arrive at the following system of congruences:

$x \equiv x_1 \ [p_1^{n_1}]$
$x \equiv x_2 \ [p_2^{n_2}]$
$\vdots$
$x \equiv x_k \ [p_k^{n_k}]$ (5)

The index $k$ is not too large since $k \le \sum_{i=1}^{k} n_i \le \frac{\ln(p-1)}{\ln 2}$. Hence, system (5) can be solved efficiently by the Chinese Remainder Theorem method, whose running time is $O(\ln^2 p)$ bit operations. The complexity of the Pohlig-Hellman algorithm is $O\left(\sum_{i=1}^{k} n_i (\ln p + \sqrt{p_i})\right)$ bit operations [12, 9, p. 108].
2.2 ElGamal signature algorithm

We recall the basic ElGamal protocol [4,19,8] in three steps.

1. Alice begins by choosing three numbers $p$, $\alpha$ and $x$ such that:

- $p$ is a large prime;

- $\alpha$ is a primitive root of the finite multiplicative group $\mathbb{Z}_p^*$;

- $x$ is a random element taken in $\{1, 2, \ldots, p-2\}$.

She computes $y = \alpha^x \bmod p$ and publishes the triplet $(p, \alpha, y)$ as her public key. She keeps the parameter $x$ secret as her private key.

2. Suppose that Alice wants to sign the message $m < p$. She must solve the modular equation

$\alpha^m \equiv y^r r^s \ [p]$ (6)

where $r$ and $s$ are two unknown variables.

Alice computes $r = \alpha^k \bmod p$, where $k$ is selected at random and is invertible modulo $p-1$. She has exactly $\varphi(p-1)$ possibilities for $k$, where $\varphi$ is Euler's totient function. Since $y = \alpha^x \bmod p$ and $\alpha$ is a primitive root, equation (6) is then equivalent to

$m \equiv x r + k s \ [p-1]$ (7)

As Alice possesses the secret key $x$, and as the integer $k$ is invertible modulo $p-1$, she computes the second unknown $s$ from relation (7) by

$s \equiv \frac{m - x r}{k} \ [p-1]$ (8)

The inverse modulo $p-1$ of the integer $k$ in equation (8) is computed by the extended Euclidean algorithm, whose complexity is $O(\ln^2 p)$ bit operations.

3. Bob can verify the signature by checking that congruence (6) holds.

Observe that in step 1 we need to know how to construct signature keys. Generally, the running time for generating prime integers takes the most important part of the total running time. In [6], we made experimental tests and concluded by suggesting some rapid procedures. In step 2, the random integer $k$ must be kept secret, otherwise relation (7) allows any adversary to obtain Alice's private key $x$, as $x \equiv (m - k s) r^{-1} \ [p-1]$ whenever $r$ is invertible modulo $p-1$. The fact of having many possibilities for the valid pairs $(r, s)$ does not affect the security of the system. Indeed, these pairs are uniformly distributed [18].

To prevent obvious attacks against the ElGamal signature scheme, some of them mentioned in the original paper [4], it is necessary to work with a collision-free hash function $h$. The message $M$ is simply replaced by $m = h(M)$ before applying the signature algorithm. We can take $h$ equal to the secure hash algorithm SHA-1 [19, p. 139; 8, chap. 9]. Collisions for SHA-1 have since been demonstrated in practice, so a current implementation should use a member of the SHA-2 or SHA-3 families instead.
2.3 Bleichenbacher's attack

At the Eurocrypt'96 meeting, Bleichenbacher indicated a possible weakness in the ElGamal signature scheme if the keys are not properly chosen [2,1]. His ideas are summarized in his main theorem.

Theorem 1 [2]. Let $p - 1 = b w$ where $b$ is $B$-smooth, and let $y_A \equiv \alpha^{x_A} \ [p]$ be the public key of user $A$. If a generator $\beta = c w$ with $0 < c < b$ and an integer $t$ are known such that $\beta^t \equiv \alpha \ [p]$, then a valid signature $(r, s)$ on a given $h$ can be found.

This theorem has the immediate consequence:

Corollary 1 [2]. If $\alpha$ is $B$-smooth and divides $p-1$, then it is possible to generate a valid ElGamal signature on an arbitrary value $h$.

Now we can move to the next section, where we expose our contribution.



3 Our contribution 

In this section, we present our main result. The first sufficient condition for forging an ElGamal signature is based on a slight simplification of Bleichenbacher's theorem. More precisely, we have:

Theorem 2. Let $(p, \alpha, y)$ be Alice's public key in an ElGamal signature scheme. If an adversary can compute a nonnegative integer $k \le p-2$, relatively prime to $p-1$ and such that

$\frac{p-1}{\gcd(p-1, \alpha^k \bmod p)}$

is $B$-smooth, then he will be able to forge Alice's signature.

Proof. We follow the method used in [2]. Let $(p, \alpha, y)$ be Alice's public key in an ElGamal signature protocol. If we put $D = \gcd(p-1, \alpha^k \bmod p)$, then there exist two coprime integers $p_1$ and $a_1$ such that $p - 1 = D p_1$ and $\alpha^k \bmod p = D a_1$. Let $H$ be the subgroup of $\mathbb{Z}_p^*$ generated by the particular element $\alpha^D \bmod p$. Since $y \equiv \alpha^x \ [p]$, where the natural integer $x$ is Alice's secret key, we have $y^D \equiv (\alpha^D)^x \ [p]$ and then $y^D \bmod p \in H$. By hypothesis, the order of the subgroup $H$, $\frac{p-1}{D} = p_1$, is $B$-smooth, so the discrete logarithm equation

$(\alpha^D)^x \equiv y^D \ [p]$ (9)

can be solved in polynomial time. Hence there exists $x_0 \in \mathbb{N}$ such that $(\alpha^D)^{x_0} \equiv y^D \ [p]$; note that $x_0 \equiv x \ [p_1]$, and that $x_0$ need not be equal to $x$.
To forge Alice's signature on a message $M$, with a hash function $h$, the adversary puts $m = h(M)$ and must find two positive integers $r, s$ such that $\alpha^m \equiv y^r r^s \ [p]$. If he chooses $r = \alpha^k \bmod p = D a_1$, he has

$y^r \equiv (y^D)^{a_1} \equiv (\alpha^D)^{x_0 a_1} \equiv \alpha^{r x_0} \ [p]$,

and hence the equivalences

$\alpha^m \equiv y^r r^s \ [p] \iff \alpha^m \equiv \alpha^{r x_0 + k s} \ [p] \iff m \equiv r x_0 + k s \ [p-1] \iff s \equiv \frac{m - r x_0}{k} \ [p-1]$,

the last step because $k$ is invertible modulo $p-1$. So $(r, s)$ is a valid signature on the message $M$, obtained without knowing Alice's secret key.

□

If the first valid exponent $k$ in our Theorem 2 is not too large, the adversary can run the following deterministic algorithm in order to forge an ElGamal signature. Consequently, we recommend that when selecting the signature keys one verifies that, for every $k < K_0$ with $\gcd(k, p-1) = 1$, where $K_0$ is the largest bound allowed by the available computing power, the integer $\frac{p-1}{\gcd(p-1, \alpha^k \bmod p)}$ has at least one large prime factor.



Algorithm 1

Input: Alice's public key $(p, \alpha, y)$ and the message $M$ to be signed.
Output: The signature $(r, s)$ of $M$.

1. Read$(p, \alpha, y)$; {$(p, \alpha, y)$ is Alice's public key}.

2. Read$(M)$; $m := h(M)$; {$m$ is the hash of the message to be signed}.

3. $j \leftarrow 1$; {initialization of the integer $j$, which plays the role of the exponent $k$}.

4. $F \leftarrow 0$; {$F$ is a flag}.

5. While ($F = 0$) do

5.1. $j \leftarrow j + 2$; {$j$ must be invertible modulo $p-1$, so $j$ is odd}.

5.2. If $\gcd(p-1, j) = 1$ then

5.2.1. $r \leftarrow \alpha^j \bmod p$; {$r$ will be the first parameter of the signature}.

5.2.2. $D \leftarrow \gcd(p-1, r)$; {$D$ will be the exponent in equation (9)}.

5.2.3. If $(p-1)/D$ is $B$-smooth then

5.2.3.1. $k \leftarrow j$; {$k$ is the searched exponent of $\alpha$}.

5.2.3.2. $F \leftarrow 1$; {to stop the while loop}.

6. $x_0 \leftarrow$ a solution of equation (9), obtained by the Pohlig-Hellman algorithm [12].

7. $s \leftarrow \frac{m - x_0 r}{k} \bmod (p-1)$; {$s$ is the second parameter of the signature}.

8. Return$(r, s)$; {$(r, s)$ is the digital signature}.

Our Theorem 2 has a first remarkable consequence: if $Q$ denotes the part of the prime factorization of $p-1$ that is not $B$-smooth and if $\alpha^k \bmod p$, for some $k \in \mathbb{N}$, is a multiple of $Q$, then the ElGamal signature scheme is insecure. More formally:

Corollary 2. Let $p_1^{n_1} p_2^{n_2} \cdots p_r^{n_r} q_1^{m_1} q_2^{m_2} \cdots q_l^{m_l}$ be the prime factorization of $p-1$, where $p_1^{n_1} p_2^{n_2} \cdots p_r^{n_r}$ is $B$-smooth and the primes $q_i$ exceed $B$. If an adversary can compute a natural integer $k \le p-2$, relatively prime to $p-1$ and such that $\alpha^k \bmod p$ is a multiple of $Q = q_1^{m_1} q_2^{m_2} \cdots q_l^{m_l}$, then he will be able to forge Alice's signature on any arbitrary message $M$.

Proof. Observe first that $\alpha$ is not necessarily a divisor of $p-1$, nor a $B$-smooth integer. Since $\alpha^k \bmod p$ is a multiple of $Q$, $Q$ divides $\gcd(p-1, \alpha^k \bmod p)$. So $p_1^{n_1} p_2^{n_2} \cdots p_r^{n_r}$ is a multiple of $\frac{p-1}{\gcd(p-1, \alpha^k \bmod p)}$, and then $\frac{p-1}{\gcd(p-1, \alpha^k \bmod p)}$ is $B$-smooth. We conclude by applying Theorem 2.

□

If the first valid exponent $k$ is not too large, Corollary 2 leads to a more practical algorithm for forging an ElGamal signature.

Algorithm 2

Input: Alice's public key $(p, \alpha, y)$ and the message $M$ to be signed.
Output: The signature $(r, s)$ of $M$.

1. Read$(p, \alpha, y)$; {$(p, \alpha, y)$ is Alice's public key}.

2. Read$(M)$; $m := h(M)$; {$m$ is the hash of the message to be signed}.

3. $Q_0 \leftarrow Q$; {$Q$ is the part of $p-1$ that is not $B$-smooth}.

4. $j \leftarrow 1$; {initialization of the integer $j$, which plays the role of the exponent $k$}.

5. $F \leftarrow 0$; {$F$ is a flag}.

6. While ($F = 0$) do

6.1. $j \leftarrow j + 2$; {$j$ must be invertible modulo $p-1$, so $j$ is odd}.

6.2. If $\gcd(p-1, j) = 1$ then

6.2.1. $r \leftarrow \alpha^j \bmod p$; {$r$ will be the first parameter of the signature}.

6.2.2. If $r \bmod Q_0 = 0$ then

6.2.2.1. $k \leftarrow j$; {$k$ is the searched exponent of $\alpha$}.

6.2.2.2. $F \leftarrow 1$; {to stop the while loop}.

7. $D \leftarrow \gcd(p-1, r)$; {$D$ will be the exponent in equation (9)}.

8. $x_0 \leftarrow$ a solution of equation (9), obtained by the Pohlig-Hellman algorithm [12].

9. $s \leftarrow \frac{m - x_0 r}{k} \bmod (p-1)$; {$s$ is the second parameter of the signature}.

10. Return$(r, s)$; {$(r, s)$ is the digital signature}.
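The following Python program is an added example and not code from the paper: it implements the Pohlig-Hellman method of section 2.1, the signing and verification of section 2.2, and the forgery of Algorithm 2 (Algorithm 1 differs only in testing the smoothness of $(p-1)/D$ directly at each candidate $j$), and runs the forgery against a constructed toy key. The prime $p = 613$ (with $p - 1 = 4 \cdot 9 \cdot 17$ and $2$ a primitive root), the private key $x = 97$, the bound $B = 3$ and the hash value $m = 123$ are assumptions made for the illustration; the trial-division factorization and the exhaustive digit search are toy helpers sized for such parameters, not the baby-step giant-step search that gives the $\sqrt{p_i}$ term of the complexity.

```python
"""Added example, not code from the paper: Pohlig-Hellman (section 2.1), the
ElGamal signing and verification of section 2.2, and the forgery of Algorithm 2,
run on a small constructed key.  Trial division and exhaustive digit search are
toy implementations sized for such parameters."""
import secrets
from math import gcd


def factorize(n):
    """Trial-division factorization of n, returned as {prime: exponent}."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def is_smooth(n, bound):
    """The paper's B-smoothness: every prime factor of n is <= bound."""
    return all(q <= bound for q in factorize(n))


def crt(residues, moduli):
    """Chinese Remainder Theorem for pairwise coprime moduli (system (5))."""
    x, mod = 0, 1
    for a, m in zip(residues, moduli):
        x += mod * (((a - x) * pow(mod, -1, m)) % m)
        mod *= m
    return x % mod


def pohlig_hellman(g, h, p, n):
    """Solve g^x = h (mod p) for g of smooth order n modulo p.  For each prime
    power q^e dividing n, the base-q digits b_j of x mod q^e are recovered one
    at a time, exactly as in congruences (3) and (4)."""
    residues, moduli = [], []
    for q, e in factorize(n).items():
        x_i, g_q = 0, pow(g, n // q, p)             # g_q has order exactly q
        for j in range(e):
            lam = n // q ** (j + 1)                 # the paper's lambda_{j+1}
            target = pow(h * pow(g, -x_i, p) % p, lam, p)   # equals g_q^{b_j}
            b = next(b for b in range(q) if pow(g_q, b, p) == target)
            x_i += b * q ** j
        residues.append(x_i)
        moduli.append(q ** e)
    return crt(residues, moduli)


def elgamal_sign(p, alpha, x, m):
    """Honest signer: r = alpha^k mod p and s from congruence (8)."""
    while True:
        k = 1 + secrets.randbelow(p - 2)            # k in {1, ..., p-2}
        if gcd(k, p - 1) == 1:
            break
    r = pow(alpha, k, p)
    s = (m - x * r) * pow(k, -1, p - 1) % (p - 1)
    return r, s


def elgamal_verify(p, alpha, y, m, r, s):
    """Congruence (6): alpha^m = y^r r^s (mod p).  The range check on r is the
    standard verifier-side precaution; the forgery below passes it anyway."""
    return 0 < r < p and pow(alpha, m, p) == pow(y, r, p) * pow(r, s, p) % p


def forge(p, alpha, y, m, bound):
    """Algorithm 2 of the paper, run without the private key.  Returns
    (r, s, k), or None if no odd k <= p-2 coprime to p-1 makes alpha^k mod p
    a multiple of the non-smooth part Q of p-1."""
    Q = 1
    for q, e in factorize(p - 1).items():
        if q > bound:
            Q *= q ** e                             # non-B-smooth part of p-1
    for k in range(1, p - 1, 2):                    # odd k, as in step 6.1
        if gcd(k, p - 1) != 1:
            continue
        r = pow(alpha, k, p)
        if r % Q == 0:                              # step 6.2.2
            break
    else:
        return None
    D = gcd(p - 1, r)
    assert is_smooth((p - 1) // D, bound)           # hypothesis of Theorem 2 holds
    # congruence (9): (alpha^D)^x0 = y^D (mod p), in the subgroup of order (p-1)/D
    x0 = pohlig_hellman(pow(alpha, D, p), pow(y, D, p), p, (p - 1) // D)
    s = (m - x0 * r) * pow(k, -1, p - 1) % (p - 1)  # step 9
    return r, s, k


# Constructed key (assumption for the example): p = 613 is prime, p - 1 = 4 * 9 * 17,
# and 2 is a primitive root.  With B = 3 the "large" factor is Q = 17.  X is the
# private key, which forge() never reads; M stands for the hash value h(M).
P, ALPHA, X, BOUND, M = 613, 2, 97, 3, 123
Y = pow(ALPHA, X, P)

if __name__ == "__main__":
    r, s, k = forge(P, ALPHA, Y, M, BOUND)
    print(f"forged with k={k}: r={r} s={s} valid={elgamal_verify(P, ALPHA, Y, M, r, s)}")
```

Running the program prints the exponent $k$ that Algorithm 2 stops at and confirms that Bob's check (6) accepts the forged pair. Two points are worth noting: `forge` only ever learns $x \bmod \frac{p-1}{D}$, which is all the forgery needs, and for this key the exponent $k = (p-3)/2 = 305$ is guaranteed to qualify by case a) of Corollary 3 (since $2^{305} \bmod 613 = 306 = (p-1)/2$), so the search always terminates.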

The next result, which can be seen as an extension of Bleichenbacher's Corollary 1, shows that in an ElGamal signature scheme it is not secure to have a primitive root whose modular inverse divides $p-1$. In particular, as a primitive root, $\alpha = \frac{p+1}{2}$ is not recommended, since its inverse modulo $p$ is $2$. More explicitly:
Corollary 3. Let $(p, \alpha, y)$ be Alice's public key in an ElGamal signature protocol. An adversary can forge Alice's signature on any given message if one of the following conditions is satisfied:

a) $p \equiv 1 \ [4]$, $\alpha$ is $B$-smooth and divides $p-1$.

b) $p \equiv 1 \ [4]$, $\alpha^{-1} \bmod p$ is $B$-smooth and divides $p-1$.

c) $\alpha$ is $B$-smooth and divides $p-1$.

Proof. a) Put $p - 1 = \alpha Q$. As $\alpha$ is a primitive root, we have $\alpha^{(p-1)/2} \equiv -1 \ [p]$, and so $\alpha^k \equiv Q \ [p]$ where $k = (p-3)/2$; since $0 < Q < p$, this means $\alpha^k \bmod p = Q$. Writing $p = 1 + 4K$, we get $k = 2K - 1$, which is odd, and $\gcd(p-1, k)$ divides $4K - 2(2K-1) = 2$, so $\gcd(p-1, k) = 1$. Consequently $\gcd(p-1, \alpha^k \bmod p) = Q$ and then

$\frac{p-1}{\gcd(p-1, \alpha^k \bmod p)} = \alpha$,

which is $B$-smooth, and this allows the use of our Theorem 2.

b) It is easy to see that $\alpha$ is a primitive root modulo $p$ if and only if $\alpha^{-1} \bmod p$ is a primitive root. Suppose that $\alpha^{-1} \bmod p$ is $B$-smooth and divides $p-1$. If the public key were $(p, \alpha^{-1} \bmod p, y^{-1} \bmod p)$, with the same private key $x$, an adversary would, by case a), be able to forge the signature and find a valid pair $(r_1, s_1)$ for any arbitrary message $M$. With $(r, s) = (r_1, -s_1 \bmod (p-1))$, the adversary forges Alice's signature on the message $M$. Indeed, the ElGamal equation (6) for the key $(p, \alpha, y)$ is equivalent to

$(\alpha^{-1})^m \equiv (y^{-1})^{r_1} (r_1)^{s_1} \ [p]$ (10)

which is exactly the verification equation satisfied by $(r_1, s_1)$ under the key $(p, \alpha^{-1} \bmod p, y^{-1} \bmod p)$.

c) If $p \equiv 1 \ [4]$, the assertion follows from case a). Assume then that $p \equiv 3 \ [4]$ and put $p = 3 + 4K$, $K \in \mathbb{N}^*$. As $\alpha$ is a primitive root, we have $\alpha^{(p-1)/2} \equiv -1 \ [p]$, and then $\alpha^2 \cdot (\alpha^{(p-5)/2} \bmod p) \equiv p - 1 \ [p]$. Let $k = (p-5)/2$. Since $k = 2K - 1$, $\gcd(p-1, k)$ divides $4$ and, as $k$ is odd, $\gcd(p-1, k) = 1$. On the other hand,

$\frac{p-1}{\gcd(p-1, \alpha^k \bmod p)} = \frac{p-1}{\alpha^k \bmod p} = \alpha^2$

is $B$-smooth, which allows us to apply Theorem 2 and achieves the proof. Note that the last equality uses $\alpha^{(p-5)/2} \bmod p = (p-1)/\alpha^2$, which holds as an equality of integers only when $\alpha^2$ divides $p-1$; when $\alpha$ divides $p-1$ but $\alpha^2$ does not, the residue $\alpha^{(p-5)/2} \bmod p$ need not divide $p-1$, and the smoothness of $\frac{p-1}{\gcd(p-1, \alpha^k \bmod p)}$ then has to be checked directly.

□
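As an added example, and not code from the paper, the following Python audit applies the recommendation stated after Theorem 2 (scan the exponents $k < K_0$ coprime to $p-1$) together with the three conditions of Corollary 3 to a candidate public key $(p, \alpha)$. The keys $p = 613$ with $\alpha = 2$, $\alpha = 307 = (p+1)/2$ and $\alpha = 5$, the bound $B = 3$ and the scan limit $K_0 = 400$ are assumptions made for the illustration; the trial-division smoothness test is a toy helper for such sizes.

```python
"""Added example, not from the paper: audit a candidate ElGamal public key
(p, alpha) against the recommendation following Theorem 2 and against the
three conditions of Corollary 3.  Toy-sized parameters and trial division."""
from math import gcd


def smooth_part(n, bound):
    """Product of the prime powers of n whose primes are <= bound."""
    part = 1
    for q in range(2, bound + 1):
        while n % q == 0:
            part, n = part * q, n // q
    return part


def is_smooth(n, bound):
    """The paper's B-smoothness: every prime factor of n is <= bound."""
    return smooth_part(n, bound) == n


def weak_exponents(p, alpha, bound, k_max):
    """Exponents k < k_max with gcd(k, p-1) = 1 for which
    (p-1)/gcd(p-1, alpha^k mod p) is bound-smooth.  Each such k satisfies the
    hypothesis of Theorem 2, so Algorithm 1 forges a signature with it."""
    return [k for k in range(1, k_max)
            if gcd(k, p - 1) == 1
            and is_smooth((p - 1) // gcd(p - 1, pow(alpha, k, p)), bound)]


def corollary3_conditions(p, alpha, bound):
    """Letters of the conditions of Corollary 3 satisfied by (p, alpha)."""
    inv = pow(alpha, -1, p)
    alpha_ok = (p - 1) % alpha == 0 and is_smooth(alpha, bound)
    inv_ok = (p - 1) % inv == 0 and is_smooth(inv, bound)
    hits = []
    if p % 4 == 1 and alpha_ok:
        hits.append("a")
    if p % 4 == 1 and inv_ok:
        hits.append("b")
    if alpha_ok:
        hits.append("c")
    return hits


def audit_key(p, alpha, bound, k_max):
    """Reject (p, alpha) if a condition of Corollary 3 holds or if the scan of
    exponents below k_max finds a usable k.  Returns (accepted, reasons)."""
    reasons = [f"Corollary 3 condition {c}" for c in corollary3_conditions(p, alpha, bound)]
    weak = weak_exponents(p, alpha, bound, k_max)
    if weak:
        reasons.append(f"Theorem 2 applies with k={weak[0]} ({len(weak)} exponents below {k_max})")
    return (not reasons, reasons)


# Constructed toy keys (assumptions for the example): p = 613 is prime with
# p - 1 = 4 * 9 * 17 and B = 3.  alpha = 2 divides p - 1 (conditions a and c),
# alpha = 307 = (p + 1)/2 has inverse 2 (condition b), alpha = 5 meets none.
if __name__ == "__main__":
    for alpha in (2, 307, 5):
        accepted, reasons = audit_key(613, alpha, bound=3, k_max=400)
        print(f"alpha={alpha}: {'accepted' if accepted else 'rejected'} {reasons}")
```

The scan alone does not flag $\alpha = 307$, whose weakness comes through the inverse key $(p, 2, y^{-1})$ as in the proof of case b); that is why the audit checks the inverse explicitly rather than relying on the exponent scan. An accepted key is only clean with respect to these tests and up to the chosen $K_0$ and $B$, which is exactly the limit stated in the recommendation.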

Before concluding, we give the following theoretical result on the number of exponents $k$ appearing in Corollary 2 and Algorithm 2.

Theorem 3. Let $\alpha$ be a primitive root of the multiplicative group $\mathbb{Z}_p^*$. For any fixed integer $Q$ such that $1 \le Q \le p-1$, if we set

$E_\alpha = \{k \in \mathbb{N} \ / \ 1 \le k \le p-2, \ \gcd(p-1, k) = 1, \text{ and } Q \text{ divides } \alpha^k \bmod p\}$ (11)

then the cardinality of $E_\alpha$ is independent of the choice of the primitive root $\alpha$.

Proof. Let $\alpha, \beta$ be two fixed primitive roots of $\mathbb{Z}_p^*$. It is well known that there exists $i \in \{1, 2, \ldots, p-2\}$ such that $\gcd(p-1, i) = 1$ and $\alpha \equiv \beta^i \ [p]$. Consider then the function

$f : E_\alpha \to E_\beta, \quad k \mapsto i k \bmod (p-1)$

First we have $f(k) \in E_\beta$, where $E_\beta$ is defined like $E_\alpha$ in relation (11). Indeed $\gcd(p-1, ik \bmod (p-1)) = \gcd(p-1, ik) = 1$ since $\gcd(p-1, k) = \gcd(p-1, i) = 1$; in particular $ik \bmod (p-1) \neq 0$, so $1 \le ik \bmod (p-1) \le p-2$. On the other hand $\beta^{ik \bmod (p-1)} \equiv \beta^{ik} \equiv \alpha^k \ [p]$, so $Q$ divides $\beta^{ik \bmod (p-1)} \bmod p$ and therefore $ik \bmod (p-1) \in E_\beta$.

Let us now establish that $f$ is injective. We have successively:

$f(k) = f(k') \implies ik \bmod (p-1) = ik' \bmod (p-1) \implies ik \equiv ik' \ [p-1] \implies k \equiv k' \ [p-1]$

since $i$ is invertible modulo $p-1$. As $1 \le k, k' \le p-2$, we obtain $k = k'$.

Since $f$ is injective, $\mathrm{Card}(E_\alpha) \le \mathrm{Card}(E_\beta)$, and by interchanging the roles of the parameters $\alpha$ and $\beta$ we find that $\mathrm{Card}(E_\beta) \le \mathrm{Card}(E_\alpha)$, so $\mathrm{Card}(E_\alpha) = \mathrm{Card}(E_\beta)$. This means that $\mathrm{Card}(E_\alpha)$ is a constant depending only on the two integers $p$ and $Q$.

□

4 Conclusion 

In this paper, we described new conditions on parameter selection that can lead to an efficient deterministic algorithm for forging ElGamal digital signatures. Our approach is based on the work of Bleichenbacher presented at the Eurocrypt'96 conference [2].